From 2f416b62b3703c73329273cbe2f9b0bf3931c33e Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Thu, 25 Jan 2024 11:31:21 -0800
Subject: [PATCH] improve: add additional chromium hardening via policy
---
 .../chromium/policies/managed/hardening.json | 30 +++++++
 .../policies/managed/hardening.json.readme.md | 85 +++++++++++++++++++
 2 files changed, 115 insertions(+)
 create mode 100644 config/files/usr/etc/chromium/policies/managed/hardening.json
 create mode 100644 config/files/usr/etc/chromium/policies/managed/hardening.json.readme.md
diff --git a/config/files/usr/etc/chromium/policies/managed/hardening.json b/config/files/usr/etc/chromium/policies/managed/hardening.json
new file mode 100644
index 0000000..519b33c
--- /dev/null
+++ b/config/files/usr/etc/chromium/policies/managed/hardening.json
@@ -0,0 +1,30 @@
+{
+ "DefaultJavaScriptJitSetting": 2,
+ "DefaultSensorsSetting": 2,
+ "EnableMediaRouter": false,
+ "SuggestedContentEnabled": false,
+ "AccessibilityImageLabelsEnabled": false,
+ "BackgroundModeEnabled": false,
+ "BlockThirdPartyCookies": true,
+ "ChromeCleanupReportingEnabled": false,
+ "ChromeVariations": 1,
+ "ClickToCallEnabled": false,
+ "DnsOverHttpsMode": "automatic",
+ "HttpsOnlyMode": "force_enabled",
+ "MediaRecommendationsEnabled": false,
+ "MetricsReportingEnabled": false,
+ "NetworkPredictionOptions": 2,
+ "PaymentMethodQueryEnabled": false,
+ "PromotionalTabsEnabled": false,
+ "RemoteDebuggingAllowed": false,
+ "SafeSitesFilterBehavior": 0,
+ "SearchSuggestEnabled": false,
+ "SharedClipboardEnabled": false,
+ "ShowFullUrlsInAddressBar": true,
+ "SpellCheckServiceEnabled": false,
+ "SyncDisabled": true,
+ "TranslateEnabled": false,
+ "UrlKeyedAnonymizedDataCollectionEnabled": false,
+ "WebRtcEventLogCollectionAllowed": false,
+ "WebRtcIPHandling": "disable_non_proxied_udp"
+}
\ No newline at end of file
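Review bot: `ChromeCleanupReportingEnabled` (line 9 of the new hardening.json) is, as far as I know, a Windows-only Google Chrome policy for the Chrome Cleanup Tool, so in a Linux /usr/etc/chromium policy directory it is inert and sits oddly next to the readme's claim that platform-specific policies were pruned; consider dropping it. The file also ends without a trailing newline (the hunk shows `\ No newline at end of file`), which is still valid JSON but worth fixing for clean diffs. `"DefaultJavaScriptJitSetting": 2` is a real hardening gain, but Chromium's own policy description notes that disabling the JIT may also disable WebAssembly, a user-visible breakage the readme should state rather than just "Disable Javascript JIT". Finally, because this directory is `managed`, `"DnsOverHttpsMode": "automatic"` locks the Secure DNS setting at what I believe is already the default, so users can no longer opt into `secure` mode; either omit the key or set `"DnsOverHttpsMode": "secure"` together with `DnsOverHttpsTemplates` for a documented resolver.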
diff --git a/config/files/usr/etc/chromium/policies/managed/hardening.json.readme.md b/config/files/usr/etc/chromium/policies/managed/hardening.json.readme.md
new file mode 100644
index 0000000..e93dfe4
--- /dev/null
+++ b/config/files/usr/etc/chromium/policies/managed/hardening.json.readme.md
@@ -0,0 +1,85 @@
+*The policies set here are a subset of those found in the [brace policy file](https://github.com/divestedcg/Brace/blob/master/brace/etc/chromium/policies/managed/brace.json). All policies that are deprecated, identical to the default, or only for ChromeOS have been removed.*
+
+*Disable Javascript JIT*
+"DefaultJavaScriptJitSetting": 2
+
+*Do not allow any site to access sensors*
+"DefaultSensorsSetting": 2
+
+*Disable Google Cast*
+"EnableMediaRouter": false
+
+*Disable Suggested Content*
+"SuggestedContentEnabled": false
+
+*Disable fetching labels for unlabelled images*
+"AccessibilityImageLabelsEnabled": false
+
+*Disable background mode*
+"BackgroundModeEnabled": false
+
+*Disable third party cookies*
+"BlockThirdPartyCookies": true
+
+*Don't report Chrome Cleanup results*
+"ChromeCleanupReportingEnabled": false
+
+*Permit Chrome Variations only for critical fixes*
+"ChromeVariations": 1
+
+*Disable click to call*
+"ClickToCallEnabled": false
+
+*Automatically use DNS-over-HTTPS if it's available*
+"DnsOverHttpsMode": "automatic"
+
+*Force enable HTTPS-Only Mode*
+"HttpsOnlyMode": "force_enabled"
+
+*Hide media recommendations*
+"MediaRecommendationsEnabled": false
+
+*Disable usage and crash reporting*
+"MetricsReportingEnabled": false
+
+*Disable network prediction*
+"NetworkPredictionOptions": 2
+
+*Disable payment method API*
+"PaymentMethodQueryEnabled": false
+
+*Disable full-tab promotions*
+"PromotionalTabsEnabled": false
+
+*Disable remote debugging*
+"RemoteDebuggingAllowed": false
+
+*Disable sending URLs for content filtering*
+"SafeSitesFilterBehavior": 0
+
+*Disable search suggestions*
+"SearchSuggestEnabled": false
+
+*Disable cross-device clipboard sharing*
+"SharedClipboardEnabled": false
+
+*Show full urls in the address bar*
+"ShowFullUrlsInAddressBar": true
+
+*Disable online spellchecking service*
+"SpellCheckServiceEnabled": false
+
+*Disable sync services*
+"SyncDisabled": true
+
+*Disable translate services*
+"TranslateEnabled": false
+
+*Disable URL-keyed anonymized data collection*
+"UrlKeyedAnonymizedDataCollectionEnabled": false
+
+*Disable WebRTC event log collection and uploading*
+"WebRtcEventLogCollectionAllowed": false
+
+*For WebRTC, use TCP on the public-facing interface, and will only use UDP if supported by a configured proxy.*
+"WebRtcIPHandling": "disable_non_proxied_udp"